LangGraph Checkpoint Unsafe Msgpack Deserialisation (CVE-2026-28277)

Executive Summary

What: LangGraph, a framework for building stateful multi-agent AI applications within the LangChain ecosystem, contains an unsafe deserialisation vulnerability in its checkpoint recovery mechanism (CVE-2026-28277, CVSS 6.8 MEDIUM) (NVD). The langgraph-checkpoint package (versions ≤ 1.0.9) uses msgpack deserialisation that can reconstruct arbitrary Python objects, enabling code execution if an attacker can modify checkpoint data in the backing store (GHSA-g48c-2wqr-h844).

So What: Organisations deploying LangGraph-based AI agents with persistent checkpointing (SQLite, PostgreSQL, or shared filesystem backends) face a post-exploitation escalation risk. An attacker who gains write access to the checkpoint store can inject crafted payloads that execute arbitrary code when the application resumes from a checkpoint. No patch is currently available — mitigation requires configuration-level hardening (GHSA-g48c-2wqr-h844).

Now What: Set the LANGGRAPH_STRICT_MSGPACK environment variable and configure allowed_msgpack_modules to restrict deserialisation. Restrict write access to all checkpoint storage backends. Monitor for a vendor patch release (GHSA-g48c-2wqr-h844).

Risk Rating

Affected Products

Am I Affected?

• Check if LangGraph is deployed with persistent checkpointing enabled (SQLite, PostgreSQL, or filesystem backends)
• Verify the installed version: pip show langgraph-checkpoint — any version ≤ 1.0.9 is affected (GHSA-g48c-2wqr-h844)
• Check if the LANGGRAPH_STRICT_MSGPACK environment variable is set — if not, deserialisation is unrestricted
• In-memory checkpoints (no persistent storage) are not affected — the attack requires write access to a persistent checkpoint store, which in-memory configurations do not expose (GHSA-g48c-2wqr-h844)

Abstract

CVE-2026-28277 is an unsafe deserialisation vulnerability in LangGraph's checkpoint recovery mechanism. The langgraph-checkpoint package uses Python's msgpack library to serialise and deserialise checkpoint state, but the deserialisation process can reconstruct arbitrary Python objects without sufficient validation (NVD). This is a classic CWE-502 (Deserialisation of Untrusted Data) pattern. Exploitation requires privileged write access to the checkpoint persistence layer — database, filesystem, or remote store — making this a post-exploitation escalation vector rather than a direct remote exploit (GHSA-g48c-2wqr-h844). The CVSS vector reflects this with AV:A/PR:H (Adjacent Network, High Privileges) (NVD). No patch is currently available; mitigation relies on the LANGGRAPH_STRICT_MSGPACK environment variable and allowed_msgpack_modules parameter to restrict object reconstruction (GHSA-g48c-2wqr-h844).

Key Findings

1. Unsafe msgpack deserialisation in checkpoint loading — LangGraph's checkpoint loaders reconstruct Python objects from msgpack-encoded data without type filtering or validation, enabling arbitrary object instantiation (GHSA-g48c-2wqr-h844).

2. Post-exploitation escalation vector — Exploitation requires prior compromise of the checkpoint storage backend. An attacker who already has write access to the database or filesystem can escalate to full application runtime code execution (GHSA-g48c-2wqr-h844).

3. No vendor patch available — As of 2026-03-09, no fixed version has been released. The NVD status is "Received" (NVD). Mitigation is configuration-based only (GHSA-g48c-2wqr-h844).

4. Configuration-level mitigation exists — The LANGGRAPH_STRICT_MSGPACK environment variable and allowed_msgpack_modules parameter provide allowlist-based hardening to restrict which Python modules can be reconstructed during deserialisation (GHSA-g48c-2wqr-h844).

5. Agent infrastructure attack surface (RAXE assessment) — This vulnerability highlights the risk of stateful AI agent frameworks where checkpoint persistence introduces deserialisation attack surfaces not present in stateless deployments.

Attack Flow

┌──────────────────────┐
│  1. INITIAL COMPROMISE │  Attacker gains write access to
│  Checkpoint store      │  checkpoint persistence layer
│  (prerequisite)        │  (database, filesystem, remote store)
└──────────┬─────────────┘  (GHSA-g48c-2wqr-h844)
           │
           ▼
┌──────────────────────┐
│  2. PAYLOAD CRAFTING   │  Attacker creates malicious
│  Msgpack payload       │  msgpack-encoded data containing
│                        │  dangerous object reconstruction
└──────────┬─────────────┘  (GHSA-g48c-2wqr-h844)
           │
           ▼
┌──────────────────────┐
│  3. STORE INJECTION    │  Crafted payload written to
│  Replace checkpoint    │  checkpoint table/file, replacing
│                        │  or augmenting legitimate data
└──────────┬─────────────┘  (GHSA-g48c-2wqr-h844)
           │
           ▼
┌──────────────────────┐
│  4. TRIGGER            │  Application loads/resumes from
│  Checkpoint recovery   │  compromised checkpoint during
│                        │  normal operation or restart
└──────────┬─────────────┘  (GHSA-g48c-2wqr-h844)
           │
           ▼
┌──────────────────────┐
│  5. DESERIALISATION    │  msgpack.unpack() reconstructs
│  Arbitrary objects     │  arbitrary Python objects without
│                        │  type validation
└──────────┬─────────────┘  (NVD, CWE-502)
           │
           ▼
┌──────────────────────┐
│  6. CODE EXECUTION     │  Arbitrary code runs with
│  Application context   │  application process privileges
│                        │  Full C/I/A impact
└──────────────────────┘  (NVD)

Technical Details

Vulnerability Mechanics

LangGraph uses persistent checkpointing to save and restore the state of multi-agent workflows. The checkpoint data is serialised using Python's msgpack library and stored in a backing store — SQLite databases, PostgreSQL tables, or filesystem paths (GHSA-g48c-2wqr-h844).

The core vulnerability is in the deserialisation path: when a checkpoint is loaded, msgpack reconstructs Python objects from the serialised data. Without explicit type filtering or an allowlist, this process can instantiate arbitrary Python classes, including those that execute code during construction (GHSA-g48c-2wqr-h844).

This is a well-established vulnerability class: CWE-502 — Deserialisation of Untrusted Data. The same pattern appears in multiple Python serialisation libraries and has been extensively documented in the security literature (NVD).

Attack Prerequisites

The CVSS vector AV:A/AC:L/PR:H/UI:N/S:U (NVD) encodes the following constraints:

• Attack Vector: Adjacent — the attacker must be on the same network segment or have direct access to the storage backend
• Privileges Required: High — write access to the checkpoint persistence layer is a prerequisite
• Attack Complexity: Low — once the prerequisite is met, exploitation is straightforward

This means the vulnerability is a post-exploitation escalation tool. The checkpoint store compromise already indicates a serious security breach; CVE-2026-28277 expands the blast radius from data access to runtime code execution (GHSA-g48c-2wqr-h844).

Mitigation Configuration

The vendor provides two configuration-level mitigations (GHSA-g48c-2wqr-h844):

1. LANGGRAPH_STRICT_MSGPACK environment variable — when set, enables strict deserialisation mode that restricts which Python modules can be reconstructed
2. allowed_msgpack_modules parameter — an allowlist of Python modules permitted during checkpoint deserialisation

Neither mitigation enforces strict blocking by default — both default to a permissive warn-and-allow mode, leaving all deployments vulnerable to exploitation unless explicitly hardened (GHSA-g48c-2wqr-h844).

Weakness Classification

CWE-502: Deserialisation of Untrusted Data (NVD).

No applicable MITRE ATLAS technique. This vulnerability is unsafe deserialisation in agent state persistence (CWE-502), not supply chain compromise or adversarial ML. No ATLAS v5.4.0 technique specifically covers deserialisation attacks against AI framework checkpoint/state data.

Confidence & Validation

Assessment Confidence: Medium

Detection Signatures (Formal Rules)

Detection limitations: The following rules are behavioural heuristics, not deterministic indicators. LangGraph agents routinely execute tools that spawn child processes (shells, HTTP clients, Python interpreters), meaning Rule 1 will produce false positives in environments with active agent tool-calling. Rule 2 relies on filesystem telemetry that may not be available in database-backed deployments. These rules are suitable for hunting and anomaly triage, not automated blocking.

Sigma Rule 1 — Suspicious Process Spawned by LangGraph Application (Hunting)

Detects child process execution from a Python process running LangGraph, which may indicate exploitation of unsafe msgpack deserialisation (GHSA-g48c-2wqr-h844). This rule will also fire on legitimate agent tool execution — treat matches as hunting leads requiring manual triage, not confirmed compromise.

title: Suspicious Process Spawned by LangGraph Checkpoint Deserialization
id: raxe-2026-017-sigma-001
status: experimental
description: >
  Detects suspicious child process execution from Python processes running
  LangGraph, indicating potential exploitation of CVE-2026-28277 (unsafe
  msgpack deserialization in checkpoint recovery). Based on GHSA-g48c-2wqr-h844.
references:
  - https://github.com/advisories/GHSA-g48c-2wqr-h844
  - https://nvd.nist.gov/vuln/detail/CVE-2026-28277
author: RAXE Labs (M. Hirani)
date: 2026-03-07
tags:
  - attack.execution
  - attack.t1059
  - cve.2026.28277
logsource:
  category: process_creation
  product: linux
detection:
  selection_parent:
    ParentImage|endswith:
      - '/python'
      - '/python3'
    ParentCommandLine|contains:
      - 'langgraph'
      - 'checkpoint'
  selection_child:
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/curl'
      - '/wget'
      - '/nc'
      - '/ncat'
      - '/python'
      - '/python3'
    CommandLine|contains:
      - 'reverse'
      - 'connect'
      - '/dev/tcp'
      - 'base64'
      - '__import__'
      - 'subprocess'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate LangGraph applications that spawn subprocesses as part of agent tool execution
  - Development and testing environments
level: medium

Note: Severity downgraded from high to medium. The selection_parent match on ParentCommandLine|contains: 'langgraph' or 'checkpoint' combined with child process indicators will fire on legitimate LangGraph agent tool execution. This rule is a hunting heuristic, not a confirmed-compromise indicator.

Sigma Rule 2 — Checkpoint Store Anomalous Write Activity

Detects unexpected write operations to LangGraph checkpoint storage locations (GHSA-g48c-2wqr-h844).

title: LangGraph Checkpoint Store Anomalous Write Activity
id: raxe-2026-017-sigma-002
status: experimental
description: >
  Detects anomalous file modifications to LangGraph SQLite checkpoint databases
  or checkpoint directories outside normal application write patterns. An attacker
  must modify checkpoint data to exploit CVE-2026-28277. Based on GHSA-g48c-2wqr-h844.
references:
  - https://github.com/advisories/GHSA-g48c-2wqr-h844
  - https://nvd.nist.gov/vuln/detail/CVE-2026-28277
author: RAXE Labs (M. Hirani)
date: 2026-03-07
tags:
  - attack.persistence
  - attack.t1505
  - cve.2026.28277
logsource:
  category: file_change
  product: linux
detection:
  selection_checkpoint_files:
    TargetFilename|contains:
      - 'checkpoint'
      - 'langgraph'
    TargetFilename|endswith:
      - '.db'
      - '.sqlite'
      - '.sqlite3'
      - '.msgpack'
  filter_normal:
    Image|endswith:
      - '/python'
      - '/python3'
  condition: selection_checkpoint_files and not filter_normal
falsepositives:
  - Database backup or migration tools accessing checkpoint files
  - Legitimate administrative operations on checkpoint storage
level: medium

Detection Guidance 3 — Checkpoint Store Integrity Auditing

Sigma Rule 3 in the original analysis proposed detecting msgpack.unpack, object_hook, or raw=True in process command lines. This approach is not operationally sound — those strings are Python API parameters that appear in source code, not in shell command lines, and would almost never surface in process-creation telemetry.

Instead, organisations should implement checkpoint store integrity auditing:

• Database audit logging — For PostgreSQL-backed checkpoints, enable pgaudit or native audit logging to capture all INSERT, UPDATE, and DELETE operations on checkpoint tables. Alert on writes from non-application database users or unexpected source IPs.
• File integrity monitoring (FIM) — For SQLite or filesystem-backed checkpoints, deploy FIM (e.g., OSSEC, Wazuh, or osquery file_events) on checkpoint directories. Alert on modifications by any process other than the LangGraph application.
• Checkpoint content validation — Where feasible, implement application-level checksum or HMAC verification of checkpoint data before deserialisation. This detects tampering regardless of how write access was obtained.
• Database access control review — Audit which credentials and service accounts have write access to checkpoint storage. Apply principle of least privilege; the checkpoint store should only be writable by the LangGraph application process.

Detection & Mitigation

Immediate Actions

1. Set LANGGRAPH_STRICT_MSGPACK — Enable strict deserialisation mode in all LangGraph deployments by setting this environment variable. This restricts which Python modules can be reconstructed during checkpoint loading (GHSA-g48c-2wqr-h844).

2. Configure allowed_msgpack_modules — Define an explicit allowlist of Python modules permitted during checkpoint deserialisation. Only include modules required by your specific workflow (GHSA-g48c-2wqr-h844).

3. Restrict checkpoint store access — Apply principle of least privilege to checkpoint storage backends. Use database-level ACLs, filesystem permissions, or network segmentation to limit write access to the application process only.

Detection Guidance

• Process monitoring (hunting) — Deploy Sigma Rule 1 as a hunting rule on hosts running LangGraph. Matches require manual triage — the rule will also fire on legitimate agent tool execution. Requires endpoint telemetry (Sysmon, auditd, or osquery).
• File integrity monitoring — Deploy Sigma Rule 2 to detect non-application modifications to checkpoint files (SQLite databases, msgpack files). See also Detection Guidance 3 for comprehensive checkpoint store integrity auditing approaches.
• Checkpoint audit logging — Enable audit logging on checkpoint storage backends (PostgreSQL pgaudit, SQLite WAL monitoring) to detect unexpected write operations. See Detection Guidance 3 for database-level and application-level validation strategies.

Strategic Recommendations

• Monitor for vendor patch — No fixed version is currently available (NVD). Track the GHSA advisory for patch release announcements.
• Evaluate checkpoint storage isolation — Consider deploying checkpoint storage in isolated network segments with strict access controls.
• Assess deserialisation risk across AI frameworks — CWE-502 vulnerabilities in AI framework serialisation layers represent an emerging attack surface. Review all frameworks using serialisation for checkpoint/state persistence.

Indicators of Compromise

Strategic Context

The following strategic observations are RAXE analyst assessments unless otherwise attributed.

The LangGraph checkpoint deserialisation vulnerability illuminates an important class of risk in the AI agent ecosystem: stateful agent frameworks introduce deserialisation attack surfaces that do not exist in stateless deployments.

Deserialisation is AI's hidden attack surface. As AI frameworks adopt persistent state management — checkpointing for long-running agent workflows, conversation history serialisation, model weight caching — they inherit decades-old deserialisation vulnerabilities (CWE-502). The msgpack pattern in LangGraph mirrors well-known vulnerabilities in other Python serialisation libraries, but receives less scrutiny because it operates within the newer AI framework context.

Post-exploitation escalation changes risk calculus. While the CVSS 6.8 (MEDIUM) score reflects the high privilege requirement, the practical impact is significant: an attacker who compromises a database can escalate to full application runtime control (NVD). In multi-tenant agent platforms, this could theoretically enable lateral movement across customer workloads (RAXE assessment — no confirmed multi-tenant exploitation scenario has been demonstrated).

No-patch vulnerabilities require operational mitigation. The absence of a vendor fix places the remediation burden on deploying organisations. The LANGGRAPH_STRICT_MSGPACK mitigation is configuration-based and defaults to a permissive warn-and-allow mode rather than strict blocking (GHSA-g48c-2wqr-h844), meaning deployments that have not explicitly configured this variable remain vulnerable.

Agent framework security maturity lags adoption (RAXE assessment). LangGraph and the broader LangChain ecosystem are seeing growing production deployment, but security hardening guidance — particularly around serialisation, storage access, and trust boundaries — remains underdeveloped relative to the deployment footprint.

References

1. GHSA-g48c-2wqr-h844 — LangGraph checkpoint loading has unsafe msgpack deserialisation (GHSA-g48c-2wqr-h844)
2. CVE-2026-28277 — NVD entry, CVSS 6.8 MEDIUM (NVD)